Apache Web Server 'mod_dav' Has Null Pointer Bug That May Allow Remote Users to Cause Denial of Service Conditions
SecurityTracker Alert ID: 1005285|
SecurityTracker URL: http://securitytracker.com/id/1005285
(Links to External Site)
Updated: Jun 3 2008|
Original Entry Date: Sep 25 2002
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 2.0.41 and prior versions of the 2.0 series|
A vulnerability was reported in the Apache 2.0 version's 'mod_dav' distributed authoring and versioning (DAV) component. A remote user may be able to trigger a segmentation fault and cause denial of service conditions.|
It is reported that with mod_dav configured with a particular type of back-end provider, a remote user could make a specific HTTP request to cause mod_dav to attempt to use a NULL pointer.
The specific request is not sent by browsers and would usually only occur with certain types of WebDAV clients.
A remote user may be able to cause denial of service conditions.|
The vendor has released a fixed version (2.0.42), available at:|
Vendor URL: www.apache.org/dist/httpd/CHANGES_2.0.42 (Links to External Site)
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [ANNOUNCE] Apache 2.0.42 Released|
The Apache HTTP Server Project is proud to announce the fifth public
release of Apache 2.0. This is primarily a bug-fix release, including
updates to the experimental caching module, the removal of several
memory leaks, and fixes for several segfaults, one of which could have
been used as a denial-of-service against mod_dav. A complete list of
the changes since 2.0.40 is available at
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
platform that supports both threads and processes. This has been shown
to improve the scalability of the Apache HTTP Server significantly in
our testing. Apache 2.0 also includes support for filtered I/O. This
allows modules to modify the output of other modules before it is
sent to the client. We have also included support for IPv6 on any
platform that supports IPv6.
This version of Apache is known to work on many versions of Unix, BeOS,
OS/2, Windows, and Netware. Because of the many advances in Apache
2.0, it is expected to perform equally well on all supported platforms.
Apache 2.0 has been running on the apache.org website since December
of 2000 and has proven to be very reliable.
Apache has been the most popular web server on the Internet since
April of 1996. The August 2002 Web Server Survey by Netcraft (see
http://www.netcraft.com/survey/) found that more web servers were
using Apache than any other software; Apache runs on more than 63%
of the web servers on the Internet.
We consider this release to be the best version of Apache available
and encourage users of all prior versions to upgrade. When doing so,
please keep in mind the following:
This release is not binary-compatible with previous releases, so all
modules need to be recompiled in order to work with this version. For
example, a module compiled to work with 2.0.40 will not work with 2.0.42.
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of
these modules to obtain this information.
For more information and to download the release tarballs, please